LastPass Hacked!

1 year ago

An unknown threat actor used information from the August 2022 incident to access a cloud-based storage environment. In August 2022, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys to access and decrypt some cloud-based storage volumes. No customer data was accessed.

LastPass production services use on-premises data centers and cloud storage for backups and regional data residency requirements. The cloud storage accessed by the threat actor is physically separate from our production environment.

The threat actor copied basic customer account information and related metadata from backup, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed LastPass.

The threat actor also copied a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data like website URLs and fully encrypted sensitive fields like website usernames and passwords, secure notes, and form-filled data. Our Zero Knowledge architecture uses 256-bit AES encryption to secure these fields. Only a user's master password can decrypt them. LastPass never knows or stores the master password. Only the LastPass client encrypts and decrypts data.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
